Chapter 09: Law and Ethics

Chapter Overview

Chapter 09 covers the topics of law and ethics. In this chapter readers will learn to identify major national and international laws that relate to the practice of information security, as well as come to understand the role of culture as it applies to ethics in information security.

Chapter Objectives

When you complete this chapter, you will be able to:

  • Differentiate between law and ethics
  • Identify major national and international laws that relate to the practice of information security
  • Understand the role of culture as it applies to ethics in information security
  • Access current information on laws, regulations, and relevant professional organizations

Set-up Notes

This chapter could be completed in a single class session, if there is sufficient time to cover the material. If the students have not had the opportunity to read the material in advance (in some settings, the textbooks are not made available until the first class meeting), it may be prudent to have a general discussion of the topic, with a detailed lecture to follow at the next class meeting. The subject matter can be covered in 1.25 to 2.5 hours.

Lecture Notes and Teaching Tips with Quick Quizzes

Introduction

As a future information security professional, it is vital that you understand the scope of an organization’s legal and ethical responsibilities.

To minimize the organization’s liabilities the information security practitioner must understand the current legal environment and keep apprised of new laws, regulations, and ethical issues as they emerge.

By educating employees and management about their legal and ethical obligations and the proper use of information technology and information security, security professionals can keep an organization focused on its primary objectives.

Law and Ethics in Information Security

Laws are rules adopted and enforced by governments to codify expected behavior in modern society.

The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not.

Ethics are based on cultural mores: relatively fixed moral attitudes or customs of a societal group.

Quick Quiz

  1. What should an information security practitioner do that can minimize the organization’s legal liabilities?
     ANSWER: To minimize the organization’s liabilities the information security practitioner must understand the current legal environment and keep apprised of new laws, regulations, and ethical issues as they emerge.
  2. What are the major differences between law and ethics?
     ANSWER: The law carries the sanction of a governing authority and ethics do not. Ethics are also based on cultural mores: relatively fixed moral attitudes or customs of a societal group.

The Legal Environment

The information security professional and managers involved in information security must possess a rudimentary grasp of the legal framework within which their organizations operate.

This legal environment can influence the organization to a greater or lesser extent depending on the nature of the organization and the scale on which it operates.

Types of Law

Civil law embodies a wide variety of laws pertaining to relationships between and among individuals and organizations.

Criminal law addresses violations harmful to society and is actively enforced and prosecuted by the state.

Tort law is a subset of civil law which allows individuals to seek recourse against others in the event of personal, physical, or financial injury.

Private law regulates the relationships among individuals and among individuals and organizations, and encompasses family law, commercial law, and labor law.

Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.

Public law includes criminal, administrative, and constitutional law.

Relevant U.S. Laws

Table 11-1 summarizes the U.S. federal laws relevant to information security:

The Computer Fraud and Abuse Act of 1986 (CFA Act) is the cornerstone of many computer-related federal laws and enforcement efforts.

It was amended in October 1996 by the National Information Infrastructure Protection Act of 1996, which modified several sections of the previous act, and increased the penalties for selected crimes.

The CFA Act was further modified by the USA Patriot Act of 2001—the abbreviated name for the “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001,” which provides law enforcement agencies with broader latitude to combat terrorism-related activities. Some of the laws modified by the Patriot Act date from the earliest laws created to deal with electronic technology.

The Communication Act of 1934 was revised by the Telecommunications Deregulation and Competition Act of 1996, which attempts to modernize the archaic terminology of the older act.

The Computer Security Act of 1987 was one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices.

The Computer Security Act of 1987 charged the National Bureau of Standards, in cooperation with the National Security Agency, with the following tasks:

  • Developing standards, guidelines, and associated methods and techniques for computer systems
  • Developing uniform standards and guidelines for most federal computer systems
  • Developing technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in federal computer systems
  • Developing guidelines for use by operators of federal computer systems that contain sensitive information in training their employees in security awareness and accepted security practice
  • Developing validation procedures for, and evaluating the effectiveness of, standards and guidelines through research and liaison with other government and private agencies

The Computer Security Act also established a Computer System Security and Privacy Advisory Board within the Department of Commerce.

The Computer Security Act of 1987 also amended the Federal Property and Administrative Services Act of 1949, requiring the National Bureau of Standards to distribute standards and guidelines pertaining to federal computer systems, making such standards compulsory and binding to the extent to which the secretary determines necessary to improve the efficiency of operation or security and privacy of federal computer systems.

Another provision of the Computer Security Act requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system.

Privacy Laws

Many organizations collect, trade, and sell personal information as a commodity, and many individuals are becoming aware of these practices and looking to the governments to protect their privacy.

In the past, it was not possible to create databases that contained personal information collected from multiple sources.

Today, the aggregation of data from multiple sources permits unethical organizations to build databases with alarming quantities of personal information.

The Privacy of Customer Information Section of the regulations covering common carriers specifies that any proprietary information shall be used explicitly for providing services, and not for any marketing purposes.

The Federal Privacy Act of 1974 regulates the government’s use of private information. The Federal Privacy Act was created to ensure that government agencies protect the privacy of individuals’ and businesses’ information, and holds those agencies responsible if any portion of this information is released without permission.

The Electronic Communications Privacy Act of 1986 is a collection of statutes that regulates the interception of wire, electronic, and oral communications.

These statutes work in cooperation with the Fourth Amendment of the U.S. Constitution, which prohibits search and seizure without a warrant.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known as the Kennedy-Kassebaum Act, is an attempt to protect the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange.

HIPAA requires organizations that retain health care information to use information security mechanisms to protect this information, as well as policies and procedures to maintain them, and also requires a comprehensive assessment of the organization's information security systems, policies, and procedures. HIPAA provides guidelines for the use of electronic signatures based on security standards ensuring message integrity, user authentication, and nonrepudiation.

HIPAA has five fundamental privacy principles:

  1. Consumer control of medical information
  2. Boundaries on the use of medical information
  3. Accountability for the privacy of private information
  4. Balance of public responsibility for the use of medical information for the greater good measured against impact to the individual
  5. Security of health information

The Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999 contains a number of provisions that affect banks, securities firms, and insurance companies.

This act requires all financial institutions to disclose their privacy policies, describing how they share nonpublic personal information, and describing how customers can request that their information not be shared with third parties.

The act also ensures that the privacy policies in effect in an organization are fully disclosed when a customer initiates a business relationship, and distributed at least annually for the duration of the professional association.

Export and Espionage Laws

In an attempt to protect intellectual property and competitive advantage, Congress passed the Economic Espionage Act (EEA) in 1996.

This law attempts to protect trade secrets “from the foreign government that uses its classic espionage apparatus to spy on a company, to the two American companies that are attempting to uncover each other's bid proposals, or to the disgruntled former employee who walks out of his former company with a computer diskette full of engineering schematics.”

The Security and Freedom through Encryption Act of 1997 provides guidance on the use of encryption, and institutes measures of public protection from government intervention. Specifically, the Act reinforces an individual’s right to use or sell encryption algorithms, without concern for the impact of other regulations requiring some form of key registration, and prohibits the federal government from requiring the use of encryption for contracts, grants, and other official documents and correspondence.

U.S. Copyright Law

U.S. copyright law extends protection to intellectual property, which includes words published in electronic formats.

The doctrine of fair use allows material to be quoted for the purpose of news reporting, teaching, scholarship, and a number of other related activities, so long as the purpose is educational and not for profit, and the usage is not excessive.

Proper acknowledgement must be provided to the author and/or copyright holder of such works, including a description of the location of source materials by using a recognized form of citation.

Freedom of Information Act of 1966 (FOIA)

All federal agencies are required under the Freedom of Information Act (FOIA) to disclose records requested in writing by any person.

The FOIA applies only to federal agencies and does not create a right of access to records held by Congress, the courts, or by state or local government agencies.

Sarbanes-Oxley Act of 2002

The U.S. Congress enacted the Sarbanes-Oxley Act of 2002 to enforce accountability for the financial record keeping and reporting at publicly traded corporations.

The law requires that the CEO and chief financial officer (CFO) assume direct and personal accountability for the completeness and accuracy of a publicly traded organization’s financial reporting and record-keeping systems.

As these executives attempt to ensure that the systems used to record and report are sound—often relying upon the expertise of CIOs and CISOs to do so—the related areas of availability and confidentiality are also emphasized.

International Laws and Legal Bodies

Many domestic laws and customs do not apply to international trade, which is governed by international treaties and trade agreements.

Because of the political complexities of the relationships among nations and cultural differences, there are currently few international laws relating to privacy and information security.

European Council Cyber-Crime Convention

Recently, the Council of Europe drafted the European Council Cyber-Crime Convention, which empowers an international task force to oversee a range of Internet security functions, and to standardize technology laws across international borders.

It also attempts to improve the effectiveness of international investigations into breaches of technology law.

The overall goal of the convention is to simplify the acquisition of information for law enforcement agents in certain types of international crimes, as well as the extradition process.

Digital Millennium Copyright Act (DMCA)

The Digital Millennium Copyright Act (DMCA) is a U.S.-based international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures.

The European Union also put forward Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 that increases individual rights to process and freely move personal data.

The United Kingdom has already implemented a version of this directive called the Database Right.

State and Local Regulations

It is the responsibility of information security professionals to understand state laws and regulations and ensure that their organization’s security policies and procedures comply with the laws and regulations.

For example, the State of Georgia recently passed the Georgia Computer Systems Protection Act, which has various computer security provisions, and establishes specific penalties for use of information technology to attack or exploit information systems in organizations.

The Georgia legislature also passed the Georgia Identity Theft Law in 1998, which requires that a business may not discard a record containing personal information unless it shreds, erases, modifies, or otherwise makes the information irretrievable.

Policy versus Law

As an information security professional, you must be aware of the legal environment in which your organization operates, and of how information security is maintained by means of policy.

The key difference between policy and law is that ignorance of a policy is an acceptable defense (whereas ignorance of the law is not), and therefore policies must be:

  • Distributed to all individuals who are expected to comply with them
  • Readily available for employee reference
  • Easily understood, with multilingual translations and translations for visually impaired or low-literacy employees
  • Acknowledged by the employee, usually by means of a signed consent form

Quick Quiz

  1. What is the Federal Privacy Act?
     ANSWER: The Federal Privacy Act of 1974 regulates the government’s use of private information. The Federal Privacy Act was created to ensure that government agencies protect the privacy of individuals’ and businesses’ information, and holds those agencies responsible if any portion of this information is released without permission.

Ethical Concepts in Information Security

The student of information security is not expected to study the topic of ethics in a vacuum, but within a larger ethical framework.

However, those employed in the area of information security may be expected to be more articulate about the topic than others in the organization, and often must withstand a higher degree of scrutiny.

The Ten Commandments of Computer Ethics

—from The Computer Ethics Institute

  1. Thou shalt not use a computer to harm other people.
  2. Thou shalt not interfere with other people's computer work.
  3. Thou shalt not snoop around in other people's computer files.
  4. Thou shalt not use a computer to steal.
  5. Thou shalt not use a computer to bear false witness.
  6. Thou shalt not copy or use proprietary software for which you have not paid.
  7. Thou shalt not use other people's computer resources without authorization or proper compensation.
  8. Thou shalt not appropriate other people's intellectual output.
  9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
  10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

Differences in Ethical Concepts

Studies reveal that individuals of different nationalities have different perspectives on the ethics of computer use.

Difficulties arise when one nationality’s ethical behavior does not correspond to that of another national group.

Ethics and Education

Differences in computer use ethics are not exclusively cultural.

Differences are found among individuals within the same country, within the same social class, and within the same company.

Key studies reveal that the overriding factor in leveling the ethical perceptions within a small population is education.

Employees must be trained and kept up to date on information security topics, including the expected behaviors of an ethical employee.

Deterring Unethical and Illegal Behavior

It is the responsibility of information security personnel to do everything in their power to deter unethical and illegal acts, using policy, education and training, and technology as controls or safeguards to protect the information and systems.

Many security professionals understand technological means of protection, but many underestimate the value of policy.

There are three general categories of unethical behavior that organizations and society should seek to eliminate:

  • Ignorance
  • Accident
  • Intent

Deterrence is the best method for preventing an illegal or unethical activity. Laws, policies, and technical controls are all examples of deterrents. However, it is generally agreed that laws and policies and their associated penalties only deter if three conditions are present:

  • Fear of penalty
  • Probability of being caught
  • Probability of penalty being administered

Quick Quiz

  1. How can the information security professional deter unethical and illegal behavior of an employee?
     ANSWER: Information security personnel should do everything in their power to deter unethical and illegal acts, using policy, education and training, and technology as controls or safeguards to protect the information and systems.

Certifications and Professional Organizations